Add New Notes

This commit is contained in:
geekard
2012-08-08 14:26:04 +08:00
commit 5ef7c20052
2374 changed files with 276187 additions and 0 deletions


@@ -0,0 +1,195 @@
Content-Type: text/x-zim-wiki
Wiki-Format: zim 0.4
Creation-Date: 2012-07-12T16:36:24+08:00
====== Owning the network with Linux ======
Created Thursday 12 July 2012
http://people.debian.org/~ultrotter/talks/dc10/networking.html
Owning the network with Linux
And scaring proprietary-only people, in the process!
Guido Trotter <ultrotter@debian.org>
Debian, Google, Ganeti, and such
===== Once upon a time =====
* Expensive proprietary devices ran the network
* Linux started being used on servers, in the data centres
* Managers, Windows, and Unix sysadmins were scared
* ...
* But network people felt safe
===== Why this talk =====
* Networking is fun
* Documentation is scarce, fragmented, and outdated
* I was too lazy to write documentation myself ;)
===== A few precautions =====
* Yes, you can do this at home
But if you want to do it in a corporation:
* Don't propose it during coffee or lunch
* Make sure your networking people are seated
* Understand the consequences
* Enjoy the lack of documentation, be ready to experiment :)
===== Old reliables =====
//# Interfaces://
//ip addr add 192.168.3.1/24 dev eth0//
//ip link set eth0 up//
//# Bridging://
//brctl addbr br0//
//brctl addif br0 eth0//
//brctl show//
//# Routing://
//ip route//
//echo 1 > /proc/sys/net/ipv4/conf/all/forwarding//
//echo 1 > /proc/sys/net/ipv6/conf/all/forwarding//
===== Overview =====
VLANs
Tunneling
Policy routing and asymmetric routing
Routing daemons and anycast
Load balancing
Network namespaces
VLAN Tagging
Get access to multiple ethernets, over a single port
Useful, for example, for:
Acting as a router/firewalling bridge with only one ethernet interface
Insulating VMs by connecting them to different network segments
# your switch must be either very dumb, or quite helpful
ip link add link eth0 name eth0.3 type vlan id 3
ip addr add 192.168.3.1/24 dev eth0.3
ip link set eth0.3 up
# ...and now play with it (bridge it, route it, etc)
Tunneling
Transmitting IP over IP
Creating overlay networks
Allows mobility, changing the network shape, etc
Basic tunneling
On host0 (172.16.15.33):
ip tunnel add gre0 mode gre local 172.16.15.33 \
remote 172.16.22.9 key 42 dev eth0
ip addr add 192.168.4.1 peer 192.168.4.2 dev gre0
ip link set gre0 up
On host1 (172.16.22.9):
ip tunnel add gre0 mode gre local 172.16.22.9 \
remote 172.16.15.33 key 42 dev eth0
ip addr add 192.168.4.2 peer 192.168.4.1 dev gre0
ip link set gre0 up
Unbound tunneling
# on each hostN (<ipN>):
ip tunnel add gre0 mode gre key 42 dev eth0
ip addr add 192.168.4.<N>/24 dev gre0
ip link set gre0 up
# for multicast, add to tunnel add:
# local <ipN> remote 224.66.66.66
# for neighbor table lookup:
ip neigh replace 192.168.4.<N> lladdr <ipN> \
nud permanent dev gre0
# Also doable via a specialized arpd (eg. opennhrp)
Policy routing
Maintain different routing tables (statically or dynamically)
Route different packets according to a different routing table
Choose depending on source interface, addresses, or iptables rules
For example route your virtual machine packets differently than the host's
"Basic" policy routing
ip rule add dev gre0 table 100
ip rule add dev tun0 table 100
ip route replace table 100 proto static \
192.168.4.0/24 dev gre0
ip route replace table 100 proto static \
192.168.5.0/24 dev gre0 via 192.168.4.254 onlink
# Default routing via gateway
ip route replace table 100 proto static default \
dev gre0 via 192.168.4.254 onlink
More policy routing
# Policy routing specific packets:
ip rule add fwmark 100 table 100
iptables -t mangle -I OUTPUT -d 192.168.4.0/24 \
-p icmp --icmp-type fragmentation-needed \
-j MARK --set-mark 100
# Asymmetric policy routing
ip route replace table 100 proto static \
throw 192.168.0.0/16
Routing daemons
Integrate with your network's dynamic topology
Acquire routes
Push routes
For hosted VMs
For NBMA networks we're a gateway for
For anycast services we run or load balance
Quagga
apt-get install quagga
look at /usr/share/doc/quagga/examples/
test it with multiple VMs running it
try different routing protocols (usually you want OSPF or BGP)
interact with it with static routes, or your own daemon
Anycast
Running an IP service in multiple locations
Decreases latency, increases availability
Just publish the route from more than one place
...yes, it's that easy.
Load balancing
Can be done in-kernel thanks to the LVS infrastructure
http://www.linuxvirtualserver.org/
Worst name ever? ;)
Good documentation, though, for once!
Can load balance via NAT, Tunneling, or Direct Routing
Network namespaces
Make a process (and its children) see network interfaces of its own.
Can be done passing CLONE_NEWNET to clone()
For more on namespaces:
lxc automates lots of this for you
Check CLONE_NEW* under clone(2)
Network namespaces
# shell1:
lxc-unshare -s NETWORK -- /bin/bash
ip link set lo up
# ...wait for shell2...
ip addr add 192.168.4.2 peer 192.168.4.1 dev veth1
ip link set veth1 up
# In the meantime, on another shell (shell2):
ip link add name veth0 type veth \
peer name veth1 netns <pid>
ip addr add 192.168.4.1 peer 192.168.4.2 dev veth0
ip link set veth0 up
Userspace fun
OpenVPN: encrypted ip or ethernet tunnels
VDE: userspace virtual switch
socat: 'nc' on steroids
Q&A
Did I miss anything?
Do you have suggestions/hints?
Any other question? (won't promise to have an answer) :)
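Review bot: in the "Basic tunneling" and "Unbound tunneling" blocks, `key 42` on `ip tunnel add gre0 mode gre ... key 42` is only a demultiplexing key carried in the clear in the GRE header, not a shared secret; the note should say plainly that GRE provides neither authentication nor confidentiality (the "Userspace fun" line already points at OpenVPN for encrypted tunnels), so a reader does not mistake the key for access control. The same applies to the "Old reliables" forwarding lines `echo 1 > /proc/sys/net/ipv4/conf/all/forwarding`: they turn the host into a router on every interface, which deserves a one-line remark next to the commands. Style point: those "Old reliables" lines are wrapped in `//...//`, which Zim renders as italics, so the commands and their `#` comments become italic prose rather than verbatim text.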


@@ -0,0 +1,305 @@
Content-Type: text/x-zim-wiki
Wiki-Format: zim 0.4
Creation-Date: 2012-07-12T15:42:44+08:00
====== Tunnels with iproute2 ======
Created Thursday 12 July 2012
http://members.ferrara.linux.it/pioppo/howto/iproute2tunnel-en.html
Tunnels with iproute2
by Simone Piunno
===== iproute2 =====
iproute2 is a package for advanced network management under linux. In practice, it is composed of a bunch of small utilities to dinamically configure the kernel by means of __rtnetlink sockets__ - a modern and powerful interface for the configuration of the networking stack implemented by Alexey Kuznetsov starting from the 2.2 kernel series.
The most interesting feature of iproute2 is that it replaces with __a single integrated and organic command__ all the functionalities we were used to find in ifconfig, arp, route and iptunnel (and it even adds some more!).
Nowadays iproute2 is installed by default on most major distributions, even if their __initialization scripts__ are still built on commands from the old __net-tools__ package (e.g. ifconfig or iptunnel - the latter is actually deprecated). If your distribution doesn't include this important package, you can always download it from ftp://ftp.inr.ac.ru/ip-routing/ and compile it yourself.
As the time of this writing, the worst defect of iproute2 is a relative lack of documentation, partially compensated by the fact that the syntax of the ip command is very easy and similar to the english language. We believe that people used to ifconfig and route shouldn't encounter any problem using ip and that they will feel at home in a matter of hours. In this document we will suppose that the reader has already a good knowledge of basic networking concepts and has used ifconfig and route in the past.
===== Introduction tu tunnels =====
Let's imagine two Internet nodes wanting to exchange data traffic over a protocol different from IPv4 or directed to a private LAN using non-globally-valid IP addresses. This problem is typically solved using __a virtual point-to-point connection__ between the two nodes and we call this configuration __a tunnel__.
You can think to every packet traveling over the network like it was an envelope with a few bits inside and the sender's and receiver's addresses written on. Tunnels simply hide this envelope inside an additional one, with different sender and receiver, effectively diverting the packet's trip. When the packet arrives to the external receiver (the one written on the external envelope), the external envelope is removed and thrown away, so that the packet can continue its travel to the real destinantion.
The two nodes putting and removing the additional envelope are called __endpoints__ and need to __have a known IPv4 address__. This is why tunnels generally don't work when traversing **a network address translation (NAT)**. Moreover, if the tunnel is built throuh a firewall, the latter must be configured ad hoc to permit this kind of traffic.
A typical tunnel usage is connecting two IPv6 nodes through an IPv4-only network. The two nodes can build an IPv6-in-IPv4 tunnel pretending to have a real direct point-to-point IPv6 connection, and this way they can link together two IPv6 islands (6bone works this way, a web of tunnels). Tunnels for IPv6-over-IPv4 transport come in two different flawors: automatic (RFC2373) and manually configured. In this document we will talk only of the latter type.
==== Creating tunnels ====
Creating tunnels with iproute2 is very easy. First of all you need a name for your tunnel. If you choose to name it foo then you can create the tunnel with the command:
**ip tunnel add foo mode sit remote 192.168.1.42**
This way, you created a __sit (IPv6-in-IPv4)__ tunnel with a remote endpoint at the IP address 192.168.1.42. Notice that we have not specified which IP address to use for the local side of the tunnel, which interface, and so on. The result can be viewed with the command ip tunnel show:
**[root@abulafia root]# ip tunnel show**
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
foo: ipv6/ip remote 192.168.1.42 local any ttl inherit
Our tunnel is the one in the 2nd row. Now we can also ask a list of all available interfaces, regardless if they are real network adapters or __software simulations__:
[root@abulafia root]# ip link show
1: lo: <loopback,up> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <broadcast,multicast,up> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
4: sit0@none: <noarp> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
6: foo@none: <pointopoint,noarp> mtu 1480 qdisc noop
link/sit 0.0.0.0 **peer 192.168.1.42**
The fact that should get your attention is that while lo and eth0 are marked as being up, our tunnel is not. To double check, the good old ifconfig says only:
[root@abulafia root]# ifconfig
eth0 link encap:ethernet hwaddr 00:48:54:1b:25:30
inet addr:192.168.0.1 bcast:192.168.0.255 mask:255.255.255.0
inet6 addr: fe80::248:54ff:fe1b:2530/10 scope:link
up broadcast running multicast mtu:1500 metric:1
rx packets:0 errors:0 dropped:0 overruns:0 frame:0
tx packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
rx bytes:0 (0.0 b) tx bytes:528 (528.0 b)
interrupt:9 base address:0x5000
lo link encap:local loopback
inet addr:127.0.0.1 mask:255.0.0.0
inet6 addr: ::1/128 scope:host
up loopback running mtu:16436 metric:1
rx packets:35402 errors:0 dropped:0 overruns:0 frame:0
tx packets:35402 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
rx bytes:3433996 (3.2 mb) tx bytes:3433996 (3.2 mb)
So we must remember that the ip link command shows __all available interfaces__, regardless of them being activated or not. To activate foo, we use the command:
**ip link set foo up**
and to deactivate it:
**ip link set foo down**
To completely discard our tunnel we use:
**ip tunnel del foo**
===== Special tunnels =====
In the previous paragraph, we've seen how to build an IPv6-in-IPv4 tunnel, now we'll examine a few different situations.
===== 4.1. GRE tunnels =====
If you don't need IPv6 but for example you want to carry normal IPv4 traffic through a non-cooperating transit network, then you'd better use mode gre instead of mode sit. For example:
[root@abulafia root]# ip tunnel add foo4 mode gre remote 192.168.1.42
[root@abulafia root]# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
foo4: gre/ip remote 192.168.1.42 local any ttl inherit
[root@abulafia root]# ip link show
1: lo: <loopback,up> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <broadcast,multicast,up> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
7: gre0@none: <noarp> mtu 1476 qdisc noop
link/gre 0.0.0.0 brd 0.0.0.0
9: foo4@none: <pointopoint,noarp> mtu 1476 qdisc noop
link/gre 0.0.0.0 peer 192.168.1.42
GRE is a particular tunnelling protocol supported by Cisco routers which is capable to __carry different protocols over IPv4__. There's another kind of tunnels implemented by linux: __ipip__. The latter is also useful for IPv4-in-IPv4 encapsulation, but it's implemented only by linux and does only unicast IP over IP (so you can't transport for example IPX or broadcasts). In general, GRE is better.
===== 4.2. Explicit local endpoint =====
Even if the kernel is smart enough to choose for you, it could be a good idea to explicitly force the local IP address and interface we're going to use for tunneling. To do that, we can use the local and dev parameters:
**[root@abulafia root]# ip tunnel add foo mode sit local 192.168.0.1 remote 192.168.1.42 dev eth0**
[root@abulafia root]# ip tunnel show
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
foo: ipv6/ip remote 192.168.1.42 local 192.168.0.1 dev eth0 ttl inherit
[root@abulafia root]# ip link show
1: lo: <loopback,up> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <broadcast,multicast,up> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
4: sit0@none: <noarp> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
11: __foo@eth0__: <pointopoint,noarp> mtu 1480 qdisc noop
link/sit 192.168.0.1 peer 192.168.1.42
Please notice that now the interface is labeled as foo@eth0, to remind us where the tunnel has been explicitly connected.
===== 4.3. Time-to-live =====
When using tunnels, creating accidental loops in the network it's easy. To limit the problem, it's fundamental to generate packets with __a low TTL value__. Initial TTL can be specified by **the ttl parameter** in ip tunnel add. The default value is inherited from the network interface the tunnel is associated to. The Internet Assigned Numbers Authority suggests using 64 for TTL.
===== 5. Assigning an IP address to the interface =====
Like any other network interface, tunnels can have one or more addresses assigned to them.
==== 5.1. Main address ====
Assigning the main address is straightforward:
ip addr add 3ffe:9001:210:3::42/64 dev foo
ip addr add 192.168.0.2/24 dev foo4
ip addr add 10.20.30.40/8 dev eth0
The number immediately following the slash is to suggest to the kernel the network prefix we prefer, useful to __automatically compute broadcast address and netmask__ on IPv4 LANs (this is called CIDR notation). However, tunnels are point-to-point interfaces and this number is then ignored.
Note: to be able to assign an IP address to an interface, first you need to activate the interface using ip link set interfacename up.
To remove an address from an interface, you can obviously use del instead of add:
ip addr del 3ffe:9001:210:3::42/64 dev foo
ip addr del 192.168.0.2/24 dev foo4
We can even ask for a list of all the IP addresses in use on our server:
[root@abulafia root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
inet6 fe80::248:54ff:fe1b:2530/10 scope link
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
5: foo@NONE: <POINTOPOINT,NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 peer 192.168.1.42
inet6 3ffe:9001:210:3::42/64 scope global
inet6 fe80::c0a8:1/10 scope link
==== 5.2. Aliasing ====
When using multiple addresses on a single interface, people used to ifconfig will be surprised noting that multiple ip addr add commands __do not__ generate fictitious interfaces like eth0:1, eth0:2 and so on. This is __a legacy naming scheme__ coming from the 2.0 kernel version and nowadays no more mandated. For example:
[root@abulafia root]# ip addr add 192.168.0.11/24 dev eth0
[root@abulafia root]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
inet 192.168.0.11/24 scope global __secondary__ eth0
inet6 fe80::248:54ff:fe1b:2530/10 scope link
[root@abulafia root]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:48:54:1B:25:30
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::248:54ff:fe1b:2530/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:528 (528.0 b)
Interrupt:9 Base address:0x5000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:34732 errors:0 dropped:0 overruns:0 frame:0
TX packets:34732 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3386912 (3.2 Mb) TX bytes:3386912 (3.2 Mb)
foo Link encap:IPv6-in-IPv4
inet6 addr: 3ffe:9001:210:3::42/64 Scope:Global
inet6 addr: fe80::c0a8:1/10 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Our addictional IP address is reported by ip addr show and works, but **ifconfig doesn't even know of its existence**! To solve the problem we can use the label parameter:
[root@abulafia root]# ip addr add 192.168.0.11/24 __label eth0:1__ dev eth0
[root@abulafia root]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
inet 192.168.0.11/24 scope global secondary eth0:1
inet6 fe80::248:54ff:fe1b:2530/10 scope link
[root@abulafia root]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:48:54:1B:25:30
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::248:54ff:fe1b:2530/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:528 (528.0 b)
Interrupt:9 Base address:0x5000
**eth0:1** Link encap:Ethernet HWaddr 00:48:54:1B:25:30
inet addr:192.168.0.11 Bcast:0.0.0.0 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:9 Base address:0x5000
Notice that we can choose any arbitrary string as the label. We're not forced to use the 2.0 naming scheme; we must comply to it only if we care having __backward compatibility with ifconfig__.
==== 5.3. Which IP for the tunnel. ====
Choosing a __global/public__ IP address (respectively an IPv6 address for SIT/IPv6-in-IPv4 tunnels and an IPv4 address for GRE/IPv4-in-IPv4 tunnels) for the local endpoint of the tunnel is probably the best thing we can do when our computer is a single host and not a router providing IPv6 connectivity to a whole LAN.
Instead, if we're configuring a router, we'd better use __a link-local address__ for SIT/IPv6-in-IPv4 tunnels (in IPv6 link-local addresses are assigned automatically by means of stateless address autoconfiguration or manually configured) and a private address for GRE/IPv4-in-IPv4 tunnels (IPv4 has no link-local addresses). The valid address will then be only on eth0 (or the interface on the LAN side). Notice that in this configuration you need to activate forwarding among interfaces, using these commands:
sysctl -w net.ipv4.conf.all.__forwarding__=1 # for GRE (IPv4-in-IPv4)
sysctl -w net.ipv6.conf.all.forwarding=1 # for SIT (IPv6-in-IPv4)
You can even decide to enable forwarding only between a couple of interfaces, in this case you could use these commands:
sysctl -w net.ipv6.conf.eth0.forwarding=1
sysctl -w net.ipv6.conf.pippo.forwarding=1
===== 6. Routing =====
Now that our tunnel is configured, we have to __specify which traffic will be directed through it__. For IPv6 the most common choice is the following:
**ip route add 2000::/3 **__dev foo__
This way all IPv6 traffic going to addresses starting with 3 bits equal to 001 (that is, all global unicast IPv6 address space) will be directed to the foo interface. This is only one 8th of the available IPv6 address space, but you are guaranteed that every possible remote host will be in this range.
We can see the IPv4 routing table this way:
[root@abulafia root]# ip route
192.168.0.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
and the IPv6 routing table this way:
[root@abulafia root]# ip __-6__ route
2000::/3 dev foo proto kernel metric 256 mtu 1480 advmss 1420
fe80::/10 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440
fe80::/10 dev foo proto kernel metric 256 mtu 1480 advmss 1420
ff00::/8 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440
ff00::/8 dev foo proto kernel metric 256 mtu 1480 advmss 1420
default dev eth0 proto kernel metric 256 mtu 1500 advmss 1440
unreachable default dev lo metric -1 error -101
If you need to specify a gateway (this is not for tunnels) then you can add the via parameter, for example:
**ip route add 192.168.1.0/24 via 192.168.0.254 dev eth0**
To remove a route you can obviously use __ip route del__ but be careful: if you write __ip route del default__ you're removing the default IPv4 route, not the IPv6 one! To remove the IPv6 default destination you need to use ip -6 route del default.
===== 7. A complete example =====
This is a typical IPv6 tunnel for 6bone:
**ip tunnel add $TUNNEL mode **__sit__** local **__any__** remote $V4_REMOTEADDR ttl **__64__
**ip link set $TUNNEL up**
**ip addr add $V6_LOCALADDR dev $TUNNEL**
**ip route add 2000::/3 dev $TUNNEL**
where $TUNNEL is an arbitrary name assigned to the tunnel, $V4_REMOTEADDR is the IPv4 address of the remote end of the tunnel and $V6_LOCALADDR is the IPv6 local address assigned to our host. We've used the any value for the local endpoint address because this way we can handle a dynamic IPv4 address (e.g. assigned by a dialup connection to the ISP). Obviosly we need to inform our tunnel broker when our address changes but this is out of the scope of this writing, also because there's no general standard procedure.
To shut down the tunnel:
**ip tunnel del $TUNNEL**
also automatically removes the routing entry and the address.
注意:
1. 隧道技术虚拟了一个链路层设备接口所有发往该接口的PDU将被虚拟接口封装后发往隧道的另一端。
2. 添加隧道接口时,隧道两端要一致,如:
Aip tunnel add A-foo mode sit local A-LAN-IP remote B-PUB-IP ttl64.
B: ip tunnel add B-foo mode sit local B-LAN-IP remote A-PUB-IP ttl64.
A,B在配置tunnel时remote参数指定的必须是对方的公网IP。
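Review bot: the closing 注意 example `B: ip tunnel add B-foo mode sit local B-LAN-IP remote A-PUB-IP ttl64.` writes `ttl64` as a single token, which `ip tunnel add` will not parse; the complete example in section 7 of the same file uses `ttl 64`. On the same lines, pairing a LAN-side `local` address with the peer's public IP means the endpoint sits behind NAT, which the introduction says tunnels generally do not traverse; either state that the endpoint holds a public address or add the NAT caveat there. Minor: section 5.3 enables forwarding on `pippo`, an interface not introduced anywhere (the tunnel is `foo` throughout), and the heading "Introduction tu tunnels" has a typo.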

Zim/Utils/ip/ip_addr.txt

@@ -0,0 +1,161 @@
Content-Type: text/x-zim-wiki
Wiki-Format: zim 0.4
Creation-Date: 2012-07-12T14:19:06+08:00
====== ip addr ======
Created Thursday 12 July 2012
==== 1. 查看帮助: ====
[geekard@kb310 man]$ __ip addr help__
Usage: ip addr {add|change|replace} [local] IFADDR dev STRING [ LIFETIME ] #local缺省参数可以不用指定。
[ CONFFLAG-LIST ]
ip addr del IFADDR dev STRING
ip addr {show|flush} [ dev STRING ] [ scope SCOPE-ID ]
[ to PREFIX ] [ FLAG-LIST ] [ label PATTERN ]
IFADDR := PREFIX | ADDR peer PREFIX
[ broadcast ADDR ] [ anycast ADDR ]
[ label STRING ] [ scope SCOPE-ID ]
SCOPE-ID := [ host | link | global | NUMBER ]
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG := [ permanent | dynamic | secondary | primary |
tentative | deprecated | dadfailed | temporary |
CONFFLAG-LIST ]
CONFFLAG-LIST := [ CONFFLAG-LIST ] CONFFLAG
CONFFLAG := [ home | nodad ]
LIFETIME := [ valid_lft LFT ] [ preferred_lft LFT ]
LFT := forever | SECONDS
[geekard@kb310 man]$
注意: ip addr change|replace命令目前并没有实现所以不能使用。
2. ==== 查看IP ====
[geekard@kb310 man]$ __ip addr show__
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.103/24 brd 255.255.255.255 scope global eth0
[geekard@kb310 man]$
==== 3.添加IP ====
为一个接口添加IP地址时**最好采用PREFIX的形式**否则ip命令认为该IP的网络号长度是32这样就不会自动生成广播路由表项。
[geekard@kb310 man]$ __sudo ip addr add 192.168.1.109/24 broadcast 192.168.1.255 dev eth0__
[geekard@kb310 man]$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.103/24 brd 255.255.255.255 scope global eth0
inet 192.168.1.109/24 brd 192.168.1.255 scope global __secondary__ eth0
[geekard@kb310 man]$
如果采用ADDR的形式则**ip将不知道该地址的网络号**,因此不会自动生成广播路由项。
[geekard@kb310 man]$ __sudo ip -s addr add 192.168.3.113 dev eth0; ip addr show__
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.103/24 brd 192.168.1.255 scope global eth0
inet 192.168.1.109/24 brd 192.168.1.255 scope global eth0
inet 192.168.2.109/24 brd 192.168.2.255 scope global eth0
inet 192.168.3.113/__32__ scope global eth0
[geekard@kb310 man]$ ip route show type **broadcast** table __local__
127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.111
192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.111
192.168.2.0 dev eth0 table local proto kernel scope link src 192.168.2.110
192.168.2.255 dev eth0 table local proto kernel scope link src 192.168.2.110
[geekard@kb310 man]$
可见内核并没有自动向local路由表中添加去往192.168.3.0的路由项。另外需要注意的是ip addr add命令__没有netmask参数__因此添加IP时最好使用PREFIX形式例外的情况是__点对点链路(这时peer参数有效)__。
* 一个网络端口可以由多个IP地址它们可以位于不同的子网中而且是相互独立的。
* 同个网络端口虽然可以配置多个不同子网的IP但该端口只能由一个缺省网关外界只能通过其中一个IP访问当该主机端口。
* 同个网络端口配置多个不同子网的IP这一般用于TUN/TAP情况。
==== 4.删除IP ====
删除IP时可以使用两种命令形式
* ip addr del IFADDR dev STRING
* ip addr {show|flush} [ dev STRING ] [ scope SCOPE-ID ]
[ to PREFIX ] [ FLAG-LIST ] [ label PATTERN ]
前一种形式使用的是IFADDR一次只能删除一个IP地址。
后一种形式使用的是to PREFIX如果PREFIX含有后缀则一次可以删除多个IP否则只删除单个IP。
[geekard@kb310 man]$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.113/32 scope global eth0
inet 192.168.2.114/24 scope global eth0
inet 192.168.2.33/24 scope global secondary eth0
[geekard@kb310 man]$ __sudo ip addr del 192.168.2.33/24 dev eth0__;ip addr show #对于ip addr del而言IP地址带不带后缀的效果都是一样的(不带后缀时会出现警告)。
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.113/32 scope global eth0
inet 192.168.2.114/24 scope global eth0
[geekard@kb310 man]$
[geekard@kb310 man]$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.110/24 brd 192.168.2.255 scope global eth0
inet 192.168.3.113/32 scope global eth0
inet 192.168.1.113/24 scope global eth0
inet 192.168.1.114/24 scope global secondary eth0
inet 192.168.2.114/24 scope global secondary eth0
[geekard@kb310 man]$ sudo ip -s addr flush dev eth0 to 192.168.1.1/__24__
*** Round 1, deleting 2 addresses *** #删除了两个含有192.168.1前缀的IP地址
*** Flush is complete after 1 round ***
[geekard@kb310 man]$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.110/24 brd 192.168.2.255 scope global eth0
inet 192.168.3.113/32 scope global eth0
inet 192.168.2.114/24 scope global secondary eth0
[geekard@kb310 man]$ sudo ip -s addr flush dev eth0 to 192.168.2.110
*** Round 1, deleting 1 addresses *** #只删除__一个__IP地址
*** Flush is complete after 1 round ***
[geekard@kb310 man]$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.113/32 scope global eth0
inet 192.168.2.114/24 scope global eth0
[geekard@kb310 man]$
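Review bot: under 删除IP the second deletion form is quoted as `ip addr {show|flush} [ dev STRING ] [ scope SCOPE-ID ]`, but only `flush` removes addresses; `show` is read-only, so the note should quote `ip addr flush ...` rather than suggest `show` deletes anything. Also the captures in 添加IP come from different sessions: the `ip route show type broadcast table local` output has `src 192.168.1.111` and `src 192.168.2.110`, neither of which appears in the `ip addr show` just above it (192.168.1.103, 192.168.1.109, 192.168.2.109), so the conclusion that no broadcast route for 192.168.3.0 was added cannot be checked against the listing as shown; re-capture both from one session. Typos in the bullet list: 可以由多个IP地址 and 只能由一个缺省网关 should read 可以有多个 and 只能有一个.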

Zim/Utils/ip/ip_link.txt

@@ -0,0 +1,292 @@
Content-Type: text/x-zim-wiki
Wiki-Format: zim 0.4
Creation-Date: 2012-07-12T15:23:27+08:00
====== ip link ======
Created Thursday 12 July 2012
==== 查看帮助: ====
[geekard@kb310 man]$ ip link help
Usage: ip link add [link DEV] [ name ] NAME
[ txqueuelen PACKETS ]
[ address LLADDR ]
[ broadcast LLADDR ]
[ mtu MTU ]
type TYPE [ ARGS ]
ip link delete DEV type TYPE [ ARGS ] #如果是虚拟设备(vlan, bridge等)这里的DEV应该是上面指定的NAME。
ip link set { dev DEVICE | group DEVGROUP } [ { up | down } ]
[ arp { on | off } ]
[ dynamic { on | off } ]
[ multicast { on | off } ]
[ allmulticast { on | off } ]
[ promisc { on | off } ]
[ trailers { on | off } ]
[ txqueuelen PACKETS ]
[ name NEWNAME ]
[ address LLADDR ]
[ broadcast LLADDR ]
[ mtu MTU ]
[ netns PID ]
[ netns NAME ]
[ alias NAME ]
[ vf NUM [ mac LLADDR ]
[ vlan VLANID [ qos VLAN-QOS ] ]
[ rate TXRATE ] ]
[ spoofchk { on | off} ] ]
[ master DEVICE ]
[ nomaster ]
ip link show [ DEVICE | group GROUP ]
TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | can | __bridge__ }
[geekard@kb310 man]$
===== 添加网桥 =====
[geekard@kb310 man]$ __ip link show__
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
[geekard@kb310 man]$ __sudo ip link add link eth0 name demo-bridge type bridge; ip link show__
**#命令行中的link eth0其实不用加。**
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state __UP__ mode DEFAULT qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
10: demo-bridge: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state __DOWN__ mode DEFAULT
link/ether **22:fd:9f:0c:39:97** brd ff:ff:ff:ff:ff:ff
[geekard@kb310 man]$ __sudo ip link set dev demo-bridge up; brctl show__
bridge name bridge id STP enabled interfaces
demo-bridge 8000.000000000000 no
[geekard@kb310 man]$ __ip link show__
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state __UP__ mode DEFAULT qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
10: demo-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state __UNKNOWN__ mode DEFAULT
link/ether 22:fd:9f:0c:39:97 brd ff:ff:ff:ff:ff:ff
[geekard@kb310 man]$ __sudo brctl addif demo-bridge eth0; ip link show; brctl show__
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast __master demo-bridge__ state __UP__ mode DEFAULT qlen 1000
link/ether __c8:60:00:8a:db:e7__ brd ff:ff:ff:ff:ff:ff
10: demo-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc noqueue state __UP__ mode DEFAULT
link/ether __c8:60:00:8a:db:e7__ brd ff:ff:ff:ff:ff:ff
bridge name bridge id STP enabled interfaces
demo-bridge 8000.c860008adbe7 no eth0
[geekard@kb310 ~]$ __ping 192.168.1.1__
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=1.08 ms
64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.520 ms
^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.520/0.804/1.089/0.285 ms
[geekard@kb310 ~]$
[geekard@kb310 man]$ __sudo ip addr add 192.168.1.244/24 dev demo-bridge; ip addr show__
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast master demo-bridge state UP qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.**103**/24 brd 255.255.255.255 scope global eth0
10: demo-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc noqueue state UP
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.**244**/24 scope global demo-bridge
[geekard@kb310 man]$
[geekard@kb310 man]$ __ip route show #默认显示的是main路由表中路由__
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.103
192.168.1.0/24 dev demo-bridge proto kernel scope link src 192.168.1.244
[geekard@kb310 man]$ __ip route show table all #显示local、main和default表中路由__
**default via 192.168.1.1 dev eth0 metric 202**
192.168.1.0/24 dev demo-bridge proto kernel scope link src 192.168.1.244
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.103 metric 202
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.103
broadcast 192.168.1.0 dev demo-bridge table local proto kernel scope link src 192.168.1.244
local 192.168.1.103 dev eth0 table local proto kernel scope host src 192.168.1.103
local 192.168.1.244 dev demo-bridge table local proto kernel scope host src 192.168.1.244
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.103
broadcast 192.168.1.255 dev demo-bridge table local proto kernel scope link src 192.168.1.244
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
[geekard@kb310 ~]$
[geekard@kb310 ~]$ brctl show
bridge name bridge id STP enabled interfaces
demo-bridge 8000.c860008adbe7 no eth0
[geekard@kb310 ~]$ ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_req=1 ttl=64 time=0.959 ms
64 bytes from 192.168.1.101: icmp_req=2 ttl=64 time=0.400 ms
64 bytes from 192.168.1.101: icmp_req=3 ttl=64 time=0.385 ms
64 bytes from 192.168.1.101: icmp_req=4 ttl=64 time=0.440 ms
^C
--- 192.168.1.101 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.385/0.546/0.959/0.239 ms
[geekard@kb310 ~]$
[geekard@kb310 ~]$ ping www.baidu.com
^C
[geekard@kb310 ~]$
[geekard@kb310 ~]$ sudo ip route chang default via 192.168.1.1 dev demo-bridge
Password:
RTNETLINK answers: No such file or directory
[geekard@kb310 ~]$ __sudo ip route add default via 192.168.1.1 dev demo-bridge__
[geekard@kb310 ~]$ __ip route show table all__
**default via 192.168.1.1 dev demo-bridge **
**default via 192.168.1.1 dev eth0 metric 202**
192.168.1.0/24 dev demo-bridge proto kernel scope link src **192.168.1.244**
192.168.1.0/24 dev eth0 proto kernel scope link src **192.168.1.103** metric 202
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.103
broadcast 192.168.1.0 dev demo-bridge table local proto kernel scope link src 192.168.1.244
local 192.168.1.103 dev eth0 table local proto kernel scope host src 192.168.1.103
local 192.168.1.244 dev demo-bridge table local proto kernel scope host src 192.168.1.244
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.103
broadcast 192.168.1.255 dev demo-bridge table local proto kernel scope link src 192.168.1.244
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
[geekard@kb310 ~]$ __ping www.baidu.com__
PING www.a.shifen.com (119.75.218.77) 56(84) bytes of data.
64 bytes from 119.75.218.77: icmp_req=1 ttl=52 time=35.6 ms
64 bytes from 119.75.218.77: icmp_req=2 ttl=52 time=35.6 ms
64 bytes from 119.75.218.77: icmp_req=3 ttl=52 time=35.6 ms
64 bytes from 119.75.218.77: icmp_req=4 ttl=52 time=35.9 ms
^C
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 35.609/35.711/35.917/0.260 ms
[geekard@kb310 ~]$
[geekard@kb310 ~]$ __sudo ip addr del 192.168.1.103/24 dev eth0__
Password:
[geekard@kb310 ~]$ __ping www.baidu.com #因为eth0是默认接口将其删去后对应的DNS和gateway也将删去。__
ping: **unknown host** www.baidu.com
[geekard@kb310 ~]$ __ping 192.168.1.1__
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.465 ms
64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.483 ms
64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.453 ms
^C64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.499 ms
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.453/0.475/0.499/0.017 ms
[geekard@kb310 ~]$ __ping 192.168.1.101 #因为demo-bridge由默认路由所以可以ping通。__
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_req=1 ttl=64 time=1.12 ms
64 bytes from 192.168.1.101: icmp_req=2 ttl=64 time=0.458 ms
^C
--- 192.168.1.101 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.458/0.792/1.127/0.335 ms
[geekard@kb310 ~]$ __ip route show table all__
**default via 192.168.1.1 dev demo-bridge**
192.168.1.0/24 dev demo-bridge proto kernel scope link src 192.168.1.244
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev demo-bridge table local proto kernel scope link src 192.168.1.244
local 192.168.1.244 dev demo-bridge table local proto kernel scope host src 192.168.1.244
broadcast 192.168.1.255 dev demo-bridge table local proto kernel scope link src 192.168.1.244
fe80::/64 dev eth0 proto kernel metric 256
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0
local fe80::ca60:ff:fe8a:dbe7 via :: dev lo table local proto none metric 0
ff00::/8 dev eth0 table local metric 256
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
[geekard@kb310 ~]$ __sudo dhcpcd demo-bridge #demo-bridge作为一个虚拟的链路层接口可以有自己的MAC和IP。__
dhcpcd[2397]: version 5.5.6 starting
dhcpcd[2397]: demo-bridge: sending IPv6 Router Solicitation
dhcpcd[2397]: demo-bridge: sendmsg: Network is unreachable
dhcpcd[2397]: demo-bridge: broadcasting for a lease
dhcpcd[2397]: demo-bridge: offered 192.168.1.103 from 192.168.1.1 `<60>'
dhcpcd[2397]: demo-bridge: acknowledged 192.168.1.103 from 192.168.1.1 `<60>'
dhcpcd[2397]: demo-bridge: checking for 192.168.1.103
dhcpcd[2397]: demo-bridge: sending IPv6 Router Solicitation
dhcpcd[2397]: demo-bridge: sendmsg: Network is unreachable
dhcpcd[2397]: demo-bridge: leased 192.168.1.103 for 7200 seconds
dhcpcd[2411]: demo-bridge: demo-bridge: MTU set to 576
dhcpcd[2397]: forked to background, child pid 2427
[geekard@kb310 ~]$ __ping www.baidu.com__
PING www.a.shifen.com (119.75.218.77) 56(84) bytes of data.
64 bytes from 119.75.218.77: icmp_req=1 ttl=52 time=35.6 ms
64 bytes from 119.75.218.77: icmp_req=2 ttl=52 time=35.5 ms
^V64 bytes from 119.75.218.77: icmp_req=3 ttl=52 time=35.5 ms
^C64 bytes from 119.75.218.77: icmp_req=4 ttl=52 time=35.5 ms
^C
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 35.519/35.587/35.646/0.045 ms
[geekard@kb310 ~]$ __ip addr show__
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master demo-bridge state UP qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ca60:ff:fe8a:dbe7/64 scope link
valid_lft forever preferred_lft forever
4: demo-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc noqueue state UP
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.244/24 scope global demo-bridge
**inet 192.168.1.103/24 brd 255.255.255.255 scope global secondary demo-bridge**
[geekard@kb310 ~]$ __sudo ip addr del 192.168.1.103 dev demo-bridge #删除接口的IP时最好带网络后缀否则会出现如下的警告。__
Warning: Executing wildcard deletion to stay compatible with old scripts.
Explicitly specify the prefix length (192.168.1.103/32) to avoid this warning.
This special behaviour is likely to disappear in further releases,
fix your scripts!
[geekard@kb310 ~]$ __ip addr show__
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master demo-bridge state UP qlen 1000
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ca60:ff:fe8a:dbe7/64 scope link
valid_lft forever preferred_lft forever
4: demo-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc noqueue state UP
link/ether c8:60:00:8a:db:e7 brd ff:ff:ff:ff:ff:ff
**inet 192.168.1.244/24 scope global demo-bridge**
[geekard@kb310 ~]$ __ping www.baidu.com__
PING www.a.shifen.com (119.75.217.56) 56(84) bytes of data.
64 bytes from 119.75.217.56: icmp_req=1 ttl=52 time=36.1 ms
64 bytes from 119.75.217.56: icmp_req=2 ttl=52 time=36.0 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 36.027/36.091/36.156/0.200 ms
[geekard@kb310 ~]$
[geekard@kb310 ~]$ __ip route show__
default via 192.168.1.1 dev demo-bridge
default via 192.168.1.1 dev demo-bridge metric 204
[geekard@kb310 ~]$ __sudo ip route del default via 192.168.1.1 dev demo-bridge metric 204 #删除路由时,信息要完整(包括目的主机)。__
[geekard@kb310 ~]$ ip route show
default via 192.168.1.1 dev demo-bridge
[geekard@kb310 ~]$
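Review bot: the address 192.168.1.103/24 is left on eth0 after eth0 has become a port of demo-bridge (`brctl addif demo-bridge eth0` followed by `ip addr add 192.168.1.244/24 dev demo-bridge`), which is why the host ends up with two connected routes for 192.168.1.0/24 and two default routes; once an interface is enslaved its addresses and routes should move to the bridge in the same step, a state the session only reaches at `sudo ip addr del 192.168.1.103/24 dev eth0` and `sudo dhcpcd demo-bridge`. Three things the output shows deserve a sentence in the note rather than being left for the reader to infer: dhcpcd hands demo-bridge the same lease 192.168.1.103 because the bridge took over eth0's MAC c8:60:00:8a:db:e7 when eth0 was added (its random 22:fd:9f:0c:39:97 disappears at that point), so the DHCP server sees the same client; the 576 MTU seen on eth0 and later on demo-bridge comes from dhcpcd applying the server's interface-MTU option (the `MTU set to 576` line), not from the link; and the metrics 202 and 204 are dhcpcd's default of 200 plus the interface index (eth0 is 2, demo-bridge is 4), which is why the hand-added `default via 192.168.1.1 dev demo-bridge` with metric 0 wins over both. The `ip route chang ...` failure is not caused by the abbreviated verb, which iproute2 accepts as an unambiguous prefix; `change` only replaces a route with the same key, and the existing default has metric 202 while the command implies metric 0, hence "No such file or directory". The closing comment about deleting a route is right for the same reason: with two defaults on the table, `ip route del default` needs the metric to select the dhcpcd one.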


@@ -0,0 +1,275 @@
Content-Type: text/x-zim-wiki
Wiki-Format: zim 0.4
Creation-Date: 2012-07-12T18:30:45+08:00
====== 多物理机器中的TAP虚拟网卡在linux briadge中通过TUP远程通信 ======
Created Thursday 12 July 2012
http://blog.csdn.net/quqi99/article/details/7634192
多物理机器中的TAP虚拟网卡在linux briadge中通过TUP远程通信 ( by quqi99 )
作者:张华 发表于2012-05-06
版权声明:可以任意转载,转载时请务必以超链接形式标明文章原始出处和作者信息及本版权声明
( http://blog.csdn.net/quqi99 )
1 先说单台物理机上如何建一个bridge
1bridge必须桥接一个物理网卡或者一个vlan的网卡 ip link add link eth0 name eth0.1000 type vlan id 1000
2gw200与br200必须是一样的MAC地址及IP因为网桥就是二层的交换机嘛交换机是根据MAC与port的映射来转发帧的
3eth0.1000会在帧上打vlan标签然后再交eth0因为eth0也可以传输其他vlan的数据所有它就相当于一个trunk但这个trunk只限于一台物理机下面将要讲如何通过vtun扩展到多物理机
ip link add link eth0 name eth0.1000 type vlan id 1000
ip link set eth0.1000 up
ip tuntap add gw200 mode tap
ip link set gw200 address 00:21:CC:6D:44:43
ip link set gw200 up
brctl addbr br200
brctl setfd br200 0
brctl stp br200 off
ip link set br200 address 00:21:CC:6D:44:43
ip link set br200 up
brctl addif br200 eth0.1000
brctl addif br200 gw200
ip addr add 3.3.3.1/24 dev br200
ip addr add 3.3.3.1/24 dev gw200
ip tuntap add tap4cce2519-02 mode tap
ip link set tap4cce2519-02 address fa:16:3e:48:31:dc
ip link set tap4cce2519-02 up
brctl addif br200 tap4cce2519-021
2) 测试一是通过libvirt的方法来测
virsh dumpxml instance-00000001:
...
<interface type="ethernet">
<mac address="fa:16:3e:48:31:dc"/>
<script path=""/>
<target dev="tap4cce2519-02"/>
</interface>
...
virsh define instance-00000001.xml
virsh start instance-00000001
如果是bridge可用
<interface type='bridge'>
<mac address='54:52:00:28:56:fa'/>
<source bridge='br0'/>
</interface>
如果是用qemu的话就只有tap接口若是多台物理机可能用它测就是问题这时候可用上面libvirt的网桥。
qemu-kvm -net nic,macaddr=fa:16:3e:48:31:dc -net tap,ifname=tap4cce2519-02 disk1.img vnc :1
用vncviewer localhost:5901登录即可看到图形化界面
3) 虚机启后配置IP及网关即可测试
sudo ifconfig eth0 3.3.3.4 broadcast 3.3.3.255 netmask 255.255.255.0
route add default gw 3.3.3.1
但是上面的桥接只是在一台物理机如果是多台物理机之间的tap虚拟网卡要通信呢那需要用到vtun两个物理机之前必须各用一个物理网卡做遂道采用socket传输
其原理见: VTun工作原理详解http://blog.csdn.net/wangxing1018/article/details/4169179
具体做法见: Connecting Two Remote Local Networks With Transparent Bridging Techniquehttp://kovyrin.net/2006/04/05/connecting-two-remote-local-networks-with-transparent-bridging/
2012年日晚记因扰了我一个星期的问题两台物理机上的虚拟网卡上的虚机通过两台物理机上的网桥ping不通终于今晚解决了。原因就是我在测试的时候一直用的是qemu的命令测的
qemu-system-x86_64 -boot c -hda /bak/kvmimages/linux-0.2.img -net nic,macaddr=fa:16:3e:48:31:dc -net tap,ifname=tap0,script=no -m 128 -vnc :1 -monitor stdio
vncviewer localhost:5901
这种测法,因为用的是-net tap方式又分布在不同物理机它应该是像如上用连接所以我一直失败。
后来改用libvirt的方式测试成功原因就是libvirt的virsh start 命令应该是自动加了TUN连接 这种做法具体如下
第一台机器:
1)  建立桥接的脚本, 第一台机器有两个网卡eth0连外网对eth1进行桥接成10.0.1.0/24网段同时在桥上设置多的172.16.99.0/24网段。这时候不需要创建给虚机的tap.
#!/bin/sh
#
# script to bring up the tun device in QEMU in bridged mode
# first parameter is name of tap device (e.g. tap0)
# some constants specific to the local host - change to suit your host
#
TAP=tap0
BRIDGE=br0
IFACE=eth1
IP=10.0.1.1
GATEWAY=10.0.1.1
BROADCAST=10.0.1.255
#
# First take $IFACE down, then bring it up with IP 0.0.0.0
#
ifdown $IFACE
ifconfig $IFACE 0.0.0.0 promisc up
#
# Bring up the tap device (name specified as first argument, by QEMU)
#
#tunctl -t $TAP -u `id -un`
#ip link set $TAP address fa:16:3e:48:31:dc
#ifconfig $TAP up
#
# create the bridge between eth0 and the tap device
#
brctl addbr $BRIDGE
brctl addif $BRIDGE $IFACE
#brctl addif $BRIDGE $TAP
#
# only a single bridge so loops are not possible, turn off spanning tree protocol
#
brctl stp $BRIDGE off
#
# Bring up the bridge with IP and add the default route
#
ifconfig $BRIDGE $IP netmask 255.255.255.0 broadcast $BROADCAST
route add default gw $GATEWAY
ifconfig br0:0 172.16.99.108 netmask 255.255.255.0 broadcast 172.16.99.255
另外一台机器,就上面三行粗体行不同,分别为:
IFACE=eth0
IP=10.0.1.2
ifconfig br0:0 172.16.99.109 netmask 255.255.255.0 broadcast 172.16.99.255
2) 创建一个libvirt的虚机配置重点是记得给tap设置地址<mac address='52:54:00:00:01:89'/>
vi /etc/libvirt/qemu/node1.xml
<domain type='qemu'>
<name>node1</name>
<uuid>f5b8c05b-9c7a-3211-49b9-2bd635f7e2aa</uuid>
<memory>393216</memory>
<currentMemory>393216</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='i686' machine='pc-1.0'>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
</features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/bin/qemu-system-i386</emulator>
<disk type='block' device='disk'>
<driver name='qemu' type='raw'/>
<source dev='/bak/kvmimages/linux-0.2.img'/>
<target dev='hda' bus='ide'/>
<address type='drive' controller='0' bus='0' unit='0'/>
</disk>
<controller type='ide' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
</controller>
<interface type='bridge'>
<mac address='52:54:00:00:01:89'/>
<source bridge='br0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<input type='tablet' bus='usb'/>
<input type='mouse' bus='ps2'/>
<graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'>
<listen type='address' address='127.0.0.1'/>
</graphics>
<video>
<model type='cirrus' vram='9216' heads='1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</memballoon>
</devices>
</domain>
对于第二台机器上上面打黑线的物别注意像uuid与mac搞成不一样的就行了。
3) 执行下列命令启动虚机。
virsh define /etc/libvirt/qemu/node1.xml
virsh dumpxml node1
virsh list
virsh dominfo node1
virsh start node1
virsh shutdown node1
virsh reboot node1
4) 通过vncviewer localhost命令登录虚机设置和默认网关
ifconfig eth0 10.0.1.3 netmask 255.255.255.0 broadcast 10.0.1.255
route add default gw 10.0.1.1
第二台机器上的虚机设置:
ifconfig eth0 10.0.1.4 netmask 255.255.255.0 broadcast 10.0.1.255
route add default gw 10.0.1.1
5) 测试
这时候,你会发现在虚机上
ping -c 1 10.0.1.1
ping -c 1 10.0.1.2
ping -c 1 10.0.1.3
ping -c 1.10.0.1.4
ping -c 1 172.16.99.108
ping -c 1 172.16.99.109
ping -c 1 192.16.99.108 (这个是第一台机器上接外网的第一个网卡的IP)
  上面测试,将第二台机器上的防火墙关了( iptables -F ),同时如果还想让虚机能访问外网的话,还应该:
  在两台机器上都打开转发echo "1"> /proc/sys/net/ipv4/ip_forward
  2)对外网出口设置NAT映射规则
iptables-t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables-save > ipt.save &&cat ipt.save |iptables-restore
  接下来将继续试验最上面的vlan的情况一样的问题
  建vlan的脚本如下 在第二台物理机上记得改一下P其他都与上同测出来的结果是虚机内能互通虚机能访问自已所在的物理机但没能访问远程物理机这点与上面那个测试不一样
ip link add link eth1 name eth1.1000 type vlan id 1000
ip link set eth1.1000 up
#ip tuntap add gw200 mode tap
#ip link set gw200 address c8:3a:35:d7:86:da
#ip link set gw200 up
brctl addbr br0
brctl setfd br0 0
brctl stp br0 off
ip link set br0 address c8:3a:35:d7:86:da
ip link set br0 up
brctl addif br0 eth1.1000
#brctl addif br0 gw200
ip addr add 10.0.1.1/24 dev br0
#ip addr add 10.0.1.1/24 dev gw200
#ip tuntap add tap0 mode tap
#ip link set tap0 address fa:16:3e:48:31:11
#ip link set tap0 up
#brctl addif br0 tap0
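Review bot: `brctl addif br200 tap4cce2519-021` does not match the device created three lines earlier by `ip tuntap add tap4cce2519-02 mode tap`, so the VM's tap is never attached to br200 and the libvirt and qemu tests that follow cannot work as written; the test list has the same kind of slip in `ping -c 1.10.0.1.4`, which should read `ping -c 1 10.0.1.4`. The cross-host section needs a security correction: `iptables -F` together with `echo 1 > /proc/sys/net/ipv4/ip_forward` and `MASQUERADE` on eth0 turns each host into an open router between 10.0.1.0/24 and everything eth0 reaches, since an emptied FORWARD chain accepts everything unless its default policy is DROP; the note should give a FORWARD rule set that permits br0 to eth0 and established replies back instead of flushing the filter table, and `iptables-save > ipt.save && cat ipt.save | iptables-restore` persists nothing (it reloads the rules that are already loaded), so whatever is configured is gone at reboot. In the single-host script, gw200 is a persistent tap with no process reading it, yet it carries a copy of br200's MAC and address (`ip link set gw200 address 00:21:CC:6D:44:43`, `ip addr add 3.3.3.1/24 dev gw200`), which gives two connected routes for 3.3.3.0/24 while br200 already answers for 3.3.3.1; the "must have the same MAC and IP" reasoning should say what the tap is for, or the gw200 lines should be dropped as the later vlan script does by commenting them out.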